apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    app: apiserver
  name: apiserver
spec:
  selector:
    matchLabels:
      app: apiserver
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        ca_hash: {{ ca_hash }}
      labels:
        app: apiserver
    spec:
      serviceAccountName: service-catalog-apiserver
      nodeSelector:
{% for key, value in node_selector.items() %}
          {{key}}: "{{value}}"
{% endfor %}
      containers:
      - args:
        - apiserver
        - --storage-type
        - etcd
        - --secure-port
        - "6443"
        - --etcd-servers
        - {{ etcd_servers }}
        - --etcd-cafile
        - {{ etcd_cafile }}
        - --etcd-certfile
        - /etc/origin/master/master.etcd-client.crt
        - --etcd-keyfile
        - /etc/origin/master/master.etcd-client.key
        - -v
        - "3"
        - --cors-allowed-origins
        - {{ cors_allowed_origin }}
        - --enable-admission-plugins
        - NamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck
        - --feature-gates
        - OriginatingIdentity=true
{% if openshift_service_catalog_namespaced_service_brokers_enabled | bool %}
        - --feature-gates
        - NamespacedServiceBroker=true
{% endif %}
        image: {{ openshift_service_catalog_image }}
        command: ["/usr/bin/service-catalog"]
        imagePullPolicy: IfNotPresent
        name: apiserver
        ports:
        - containerPort: 6443
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /var/run/kubernetes-service-catalog
          name: apiserver-ssl
          readOnly: true
        - mountPath: /etc/origin/master
          name: etcd-host-cert
          readOnly: true
        readinessProbe:
          httpGet:
            port: 6443
            path: /healthz/ready
            scheme: HTTPS
          failureThreshold: 1
          initialDelaySeconds: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 5
        livenessProbe:
          httpGet:
            port: 6443
            path: /healthz
            scheme: HTTPS
          failureThreshold: 3
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: apiserver-ssl
        secret:
          defaultMode: 420
          secretName: apiserver-ssl
          items:
          - key: tls.crt
            path: apiserver.crt
          - key: tls.key
            path: apiserver.key
      - hostPath:
          path: /etc/origin/master
        name: etcd-host-cert
      - emptyDir: {}
        name: data-dir
